Hacks to get Loopback App’s running on Heroku

To get Loopback App’s running on Heroku, a couple of hacks are required due to the way Loopback manages it’s configurations.

The first issue to solve is to get Loopback to take the port number from the environment since Heroku uses arbitrary port numbers to target different applications.

There is probably a more elegant way, however I first wanted to stay out of node_modules files, so I opted to just focus on modifying server.js.

It’s actually very easy, since loopback internally supports passing arguments to the listen function all the way out from the server.js file.
It does this by switching between automatic configuration and explicit configuration from the arguments passed to the listen function.

So, basically it’s just amending the “start” function to fetch the port number from the environment and pass it as argument to the listen function.

I have done it this way…

app.start = function () {
   // start the web server
   var port = process.env.PORT || 8000;
   return app.listen(port, function () {
      console.log('Web server listening at: %s', app.get('url'));

Simple WhoAmI for Loopback

Retrieving the currently authenticated user in a Loopback Application can be done in many ways, and one of them is the one I want to share in this post.

I wanted to be able to utilise the Angular SDK as well as the Explorer, so adding a routing manually in a boot script was not really an option, however simple that might be, so I decided to opt for implementing it as a custom Model.

The first thing to do is to create a whoami.json and whoami.js file in the commons directory.


  "name": "WhoAmI",
  "base": "Model",
  "plural": "whoami",
  "acls": [
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY"
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$authenticated",
      "permission": "ALLOW"


module.exports = function (WhoAmI) {

    WhoAmI.whoAmI = function (req, next) {
        var AccessToken = WhoAmI.app.models.AccessToken;
        AccessToken.findForRequest(req, {}, function (aux, accesstoken) {
            var UserModel = WhoAmI.app.models.User;
            UserModel.findById(accesstoken.userId, function (error, user) {
                next(error, user);

            accepts: {arg: 'req', type: 'object', http: {source: 'req'}},
            returns: {arg: 'user', type: 'object'},
            http: {path: '/', verb: 'get'}

Secondly, I make sure to add the model to the model-config.json

"WhoAmI": {
  "dataSource": null,
  "public": true

Now, when you restart the server, you will see the following endpoint having been added to your API


And because of the ACL’s we set in the model, all requests without an access-token are handled by the security of Loopback… so there you go, a nice and easy WhoAmI !

Alternatively… a bootscript

If you for some reason should be inclined to prefer putting it in a boot script, all you have to do is to create a file in the boot directory of the server with the following content

module.exports = function (server) {

    var router = server.loopback.Router();

    router.get('/whoami', function (req, res) {

        var AccessToken = server.models.AccessToken;
        AccessToken.findForRequest(req, {}, function (aux, accesstoken) {
            if (accesstoken == undefined) {
                    'Error': 'Unauthorized',
                    'Message': 'You need to be authenticated to access this endpoint'
            else {
                var UserModel = server.models.User;
                UserModel.findById(accesstoken.userId, function (err, user) {


Gist: https://gist.github.com/pmoelgaard/af6aa61146766f0e8551